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Methods for modeling real-time peri- 
odic and aperiodic task scheduling and mes- 
sage passing within multitask systems. The 
methods utilize undelayed and single sample 
delayed message connections among software 
task objects and hardware objects. Task priori- 
lies are assigned inversely with period or dead- 
line, so that tasks with shorter periods or dead- 
lines have higher scheduling priorities. Periods 
of high-criticality tasks are decomposed into 
smaller pieces that are sequentially dispatched 
at higher rates where the initial assignment of 
priority is inconsistent with task criticality. The 
methods provide for deterministic communica- 
tion among periodic processes. 
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WO 00/70455 PCIYUS00/13356 
TASK SCHEDULING AND MESSAGE PASSING 



Technical Field 

The present invention relates generally to task scheduling and message passing 
within task systems, and in particular to modeling real-time periodic and aperiodic task 
scheduling and message passing adapted to analyze the timing befaavior within 
multitask systems and to define electronic systems and instructions for carrying out 
such scheduling and message passing. 

A portion of the disclosure of this patent document contains material which is 
subject to copyright protection. The copyright owner has no objection to the facsimile 
reproduction by anyone of the patent disclosure, as it appears in tfac Patent and 
Trademark Office patent files or records, but otherwise reserves all copyright rights 
whatsoever. The following notice applies to the software and data as described below 
and in the drawings hereto: Copyright © 1999, Honeywell, Inc., ^All Rights Reserved. 

, Background 

Computer processes are often subdivided into a variety of functions which may 
be executed as tasks in serial and/or parallel fashion. These computer processes can be 
used to gather and act upon information, and to bring about some result in response to 
the information. These functional task systems find use in a variety of important 
environments. Examples may include monitor and control of an industrial process, such 
as a power generation and distribution system, or monitor and control of complex 
equipment, such as a commercial airliner. 

Classical control functions rely on data flows between periodically executed 
tasks, with the results of a task delivered at the next dispatch of tlhat task. This behavior 
allows cyclic data dependencies among tasks, i.e., feed-back loops, and is consistent 
with the assumptions underlying the mathematical analysis of discrete ^me dynamic 
systems. A message passing communication model is more suitable for partitioned 
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multiprocessor systems than a shared memory communication model, especially 
systems that are loosely coupled to maintain a high degree of hardware fault isolation. 

In many mission critical systems software needs to be modularized using an 
appropriate functional breakdown, which often requires decomposing a traditional 
5 control task into multiple communicating subtasks. This may require end-to-end 

ordering and scheduling of certain subtasks and messages. For example, in an avionics 
system, inertial measurement processing and autopiloting might be implemented as 
separate functions performed by separate task sets. There would be an end-to-end 
deadline from reading sensor data to outputting actuator commands, and task and 

10 message order dependencies within this deadline. 

The increasing complexity of hardware makes it harder to accurately bound 
computation and communication times. Caches, for example, make it more difficult to 
accurately bound worst-case compute times, even for algorithms whose control flow is 
data-independent Actual worst-case compute times may be substantially less than 

1 5 bounds that can be easily established during development. Actual compute times may 
vary significantly across different dispatches of the same task. Systems will be 
designed so that only the more critical functions are guaranteed with highest assurance 
to be schedulable under worst-case compute time bounds. Load shredding of the less 
critical tasks will occur during any intervals of transient processor overload. 

20 High-assurance systems have additional requirements. The dependency ordering 

of computations and communications, and the exact times of interactions with the 
external world, must produce deterministic outcomes. Uncertainties or variations in 
task compute times must not affect the values of designated control outputs. It is 
necessary to formally model and analyze the timing behavior of a system. 

25 Specifications, models, analyses and code all need to be well-structured, 

understandable, traceable and amenable to multiple independent means of verification. 

There is a need in the art for solutions in modeling real-time periodic and 
aperiodic task scheduling and message passing useful in integrated mission-critical 
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systems, or in systems with high-rate applications and microcontrollers having 
constrained throughput and/or memory. 

Summary 

5 The invention addresses deterministic communication between two periodic 

processes. It includes a communication model, a deadline reduction technique, a period 
transformation technique and implementation efficiency buffer assignment rules. 

In one embodiment, the invention provides a method of generating an assigned 
scheduling priority of a plurality of tasks in a multitask system. The method includes 

10 defining a first list of the plurality of tasks, wherein the first list of the plurality of tasks 
is sorted with a task deadline as a primary key and a task crfeticality as a secondary key. 
The method further includes transforming the task deadline of each of the plurality of 
tasks that do not produce undelayed messages. The transformation occurs one at a time 
using a transformation scenario beginning with the task having the least task deadline, 

15 thereby producing a transformed task deadline for each of tfae plurality of tasks. The 
method still further includes defining a second list of the plurality of tasks, wherein the 
second list of the plurality of tasks is sorted with the transformed task deadline as the 
primary key and wherein each transformed task deadline of a task having a first task 
criticality is less than any transformed task deadline of a task having a task criticahty 

20 less than the first task criticality. Scheduling priority is them assigned in the order of the 
second list of the plurality of tasks, thereby producing the assigned scheduling priority. 
In a further embodiment, the multitask system is a flight control system. 

In another embodiment, the invention provides a method of operating a 
multitask system. The method includes communicating among tasks, with each task 

25 having a priority and a criticality. Each task is a sender and/or receiver of undelayed 
messages and/or single sample delay messages. The method further includes assigning 
a priority to each sender task sending undelayed messages such that the^priority of the 
sender task is higher than the priority of any downstream receiver task. The method 
further includes assigning a priority to each sender task thati does not send undelayed 
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messages, where each such task having a first criticality has a priority greater than any 
such task having a criticality lower than the first criticality. The method still further 
includes executing each of the tasks on a processor according to their assigned 
priorities. In yet another embodiment, the multitask system is a flight control system. 
5 In a further embodiment, the invention provides a multitask system. The 

multitask system includes a processor and a plurality of tasks operating on the 
processor. Each task is of a periodic or aperiodic task type. Each task has associated 
with it at least one I/O buffer. Communications with each I/O buffer is adapted to either 
undelayed messages or single sample delay messages. An executive task having a 

10 periodic dispatcher, an event handler and a service component is utilized for controlling 
dispatching of tasks and communications among the I/O buffers. The periodic 
dispatcher manages dispatching of periodic tasks and their single sample delay 
communications. The event handler manages dispatching of aperiodic tasks and their 
single sample delay message communications. The service component manages task 

15 completions and all undelayed message communications. In a still further embodiment* 
the multitask system is a flight control system. 

Brief Description of the Drawings 
Figure 1 A is a schematic of a flight control system for use in accordance with am 
20 embodiment of the invention. 

Figure IB is a schematic of a redundant flight control system for use in 
accordance with an embodiment of the invention. 

Figure 1C is a block diagram of a multitask system in accordance with an 
embodiment of the invention. 
25 Figure 2 is an execution timeline of a task in accordance with an embodiment off 

the invention. 

Figure 3 is a schematic of connection types for message passin^in accordance 
with an embodiment of the invention illustrated with task objects. 
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Figure 4 is a schematic of a hardware object in accordance with an embodiment 
of the invention. 

Figure 5 is a schematic of end-to-end computations and communications in 
accordance with an embodiment of the invention. 
5 Figure 6 is a schematic of a task executive in accordance with an embodiment of 

the invention. 

Figure 7 is a schematic illustrating executive buffers in accordance with an 
embodiment of the invention. 

Figure 8 is a process flowchart of a dispatcher task in accordance with an 
10 embodiment of the invention. 

Figure 9 is a process flowchart of an event handler in accordance with an 
embodiment of the invention. 

Figure 10 is a process flowchart of a service component in accordance with an 
embodiment of the invention. 
1 5 Figure 1 1 is a process flowchart of task list generation in accordance with an 

embodiment of the invention. 

Figure 12 is an illustration of example transformation scenarios for use in 
accordance with embodiments of the invention. 

Figure 13 is a process flowchart of task transformation in accordance with an 
20 embodiment of the invention. 

Figure 14 is a block diagram of an electronic system in accordance with an 
embodiment of the invention. 

Description of the Embodiments 
25 In the following detailed description of the preferred embodiments, reference is 

made to the accompanying drawings which form a part hereof, and in which is shown 
by way of illustration specific embodiments in which the inventions may be practiced. 
These embodiments are described in sufficient detail to enable those skilled in the art to 
practice the invention, and it is to be understood that other embodiments may be utilized 
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10 



15 



20 



and that process or mechanical changes may be made without departing from the scope 
of the present invention. The following detailed description is, therefore, not to be 
taken in a limiting sense, and the scope of the present invention is defined only by the 
appended claims. 

Figure 1 A is a schematic of a flight control system 100. Flight control task 105 
is executed at some periodic rate. Flight control task 105 receives sensor data (S) 115 
from sensor 1 10, computes a function / with sensor data 1 15 and state data 130 
computed in a previous dispatch (XJ as inputs, and writes an output (X^,) 120 to an 
actuator 125. This may be written as X^, ^flX^, S). Sensor data 1 15 should be 
transferred substantially without delay to flight control task 105, and flight control task 
105 must not start executing until it has received the sensor data 115. This undelayedS 
transfer is represented with a double-headed arrow. 

Actuator output 120 computed from sensor data 115 read at time t should be 
written at exactly f + A with minimal jitter, where A and the task period are determined 
and specified by a control engineer based on system requirements. Often, A is a 
deadline that occurs before the next dispatch of the flight control task. The state 
information (X^) 130 computed at the m* dispatch of the task must be received at the 
(m+1)* dispatch of the task. This delayed data flow is represented by the feedback 
connection from the flight control task to itself. The feedback data from the flight 
control task to itself can also be transferred with some fixed and invariable delay, e.&., 
the period of that task. These latter two transfers are termed single sample delay (SSD) 
connections. 

If data is sent from a periodic task A to a periodic task B (possibly having 
different rates), and if the i* dispatch of B receives data from the j* dispatch of A in sany 
schedulable run, it must do so in every scheduiable run to satisfy feedback control 
determinacy requirements. This is true for undelayed as well as SSD connections. 



Figure IB shows a variation of a flight control system 100 having redundancy. 

Flight control system 100 further includes a primary flight control task 105 A, a 
secondary flight control task 105B and a comparator task 135 to select the output (120A 
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or 1 20B) used to control the system. The end-to-end deadline A between reading the 
sensor input 1 1 5 and writing the actuator output 1 20 applies to the execution of all three 
tasks (105A, 105B and 135) and to the intermediate data transfer between the two flight 
control tasks 105A and 105B and the comparator task 135. The data transfer from the 
5 flight control tasks 1 05 A and 105B to the comparator task i 35 must be substantially 
undelayed, and a scheduling precedence constraint exists between the two flight control 
tasks 105A and 105B and the comparator task 135. 

In one embodiment of the invention, the system provides preemptive fixed 
priority scheduling of periodic and aperiodic tasks and assignments between message 

1 0 buffer variables. Priorities are assigned inversely with period or deadline, so that tasks 
with shorter periods or deadlines have higher scheduling priorities. If the initial priority 
assignment is inconsistent with task criticalities then the periods and/or deadlines of 
high-criticality tasks are transformed, i.e., the tasks are decomposed into smaller pieces 
that are sequentially dispatched at higher rates. For aperiodic scheduling, the 

1 5 embodiment uses both deferrable server and period enforcement algorithms. In another 
embodiment, the system provides a real-time slack scheduler. 

An exact characterization algorithm extended to provide sensitivity analysis 
information is utilized for schedulability analysis. The example embodiment has been 
implemented in a MetaH toolset that automatically generates and analyzes formal 

20 schedulability, reliability, and partitioning models of a system; and automatically 
composes the system, building images for each system processor, using generated 
scheduling and communication code. The MetaH toolset is developed and distributed 
by Honeywell, Inc., Minneapolis, Minnesota, USA. Other Computer-Aided Software 
Engineering (CASE) tools may be used with the various embodiments of the invention. 

25 With reference to Figure 1 C, task system 100 is a multitask system having at 

least two schedulable application tasks 1 1 0. The scheduling of application tasks 1 10 
within task system 100, as well as the communications of application tjsks 110, is 
controlled by an executive task 1 50. Each task 1 10 in the task system 100 is repeatedly 
dispatched, either at some fixed rate for periodic tasks or in response to some event, i.e. t 
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software-generated, interrupt or other event, for aperiodic tasks. A task 1 10 resides, or 
is performed by, only one processor 120. 

Figure 2 shows the task execution timeline of a task 1 10 following each dispatch 
and the terms defined herein for selected instants and intervals of time. The term **task 
5 instance" refers to a specific dispatch of a task 1 10 and the associated sequence of 
following activities and scheduling points. Between each dispatch of a task 110 and the 
following deadline, a task must perform a certain amount of work, receiving a certain 
amount of compute time from the processor. However, the processor may also spend 
some time working on other tasks 1 10 between dispatch and completion, during which 

10 intervals a task 1 10 is said to be preempted by other tasks 1 10. An important 
observation to make is that task dispatches, i.e., when a task 1 10 is placed in a 
prioritized ready queue, and deadlines, i.e., some system-defined deadline or other 
constraint for completion of the task, occur at deterministic times for periodic tasks. 
However, task start time, i.e., when computing of the task begins, and complete tumes, 

15 i.e., when computing of the task is complete, may vary depending on scheduling and 
compute time requirements. 

Tasks 1 1 0 are characterized using four primary parameters. The class of a task 
is either periodic, i.e., regularly scheduled for dispatch, or aperiodic, i.e., dispatcMed in 
response to some non-scheduled event The period of a task is the interval between 

20 dispatches of a periodic task, or the minimum interval between event arrivals for aan 
aperiodic task. The compute tome of a task is the upper bound on the amount of 
processor time required for am instance of that task to complete after each dispatcftu In 
practice, the degree of assurance that the actual compute time will not exceed this value 
varies depending on the task. 

25 The criticality of a task in one embodiment is an integer value used to canHrol 

scheduling behavior when processors are overloaded, i.e., where some subset of tasks is 
unschedulable. While such a numerical ranking system is convenient for 
implementation, other ranking systems may be utilized. The schedulability of a task is 
affected only by tasks on the same processor having a criticality equal or greater to its 
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own criticality. Lower criticality tasks may exceed their stated compute times, or, for 
aperiodic tasks, may be dispatched at a higher rate than their stated periods, without 
causing a higher criticality task to miss a deadline. 

In one embodiment, messages are values that are transferred from output buffer 
5 variables in sender tasks to input buffer variables in receiver tasks according to a 
specified set of connections. In the MetaH specification language, each task may have 
one or more input or output ports that designate buffer variable declarations in the task 
source code, and connections can be made between compatibly typed ports as illustrated 
in Figure 3. As depicted in Figure 3, task 1 has a single sample delay output buffer 

10 310 and an undelayed input buffer 340. Task 1 10 2 has a single sample delay input 
buffer 320 and an undelayed output buffer 330. Tasks 1 10, and 1 10 2 may have 
additional or other input and output buffers. 

Single sample delay output buffer 310 provides its message value to single 
sample delay input buffer 320. Undelayed output buffer 330 provides its message value 

15 to undelayed input buffer 340. 

Incoming messages are placed in the input buffers of a receiver task by the time 
it starts, and outgoing messages are presumed available in the output buffers of a task 
when it completes. In the absence of any other constraints on task scheduling in a 
schedulable system, incoming messages should be available at task dispatch, and 

20 outgoing messages may not be available until the task deadline. A task is a sender when 
sending a message value from its output buffer, and a receiver when receiving a 
message value at its input buffer. 

In the example embodiment, there are two types of message connections. The 
first is a single sample delay connection. The second is an undelayed message 

25 connection. 

A single sample delay connection causes the value received by a task instance to 
be the one available at the most recent sender deadline that preceded, oi* occurred at the 
same instant as, the receiver dispatch. In one embodiment, an exception occurs when 
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the sender is an aperiodic task, such that the message value is obtained at die complete 
time rather than the deadline of the sender. 

Hardware objects are allowed to have ports, e.g., device control registers 
mapped into memory space. As shown in Figure 4, hardware object 400 may have one 
5 or more hardware input potts 4 1 0 and one or more hardware output ports 420. 

Transfers to or from hardware ports occur at the deadline of the sender task or dispatch 
of the receiver task instance, respectively. As noted above for aperiodic tasks, the 
transfers to a hardware port from an aperiodic task may occur at the task's complete 
time. Hardware objects provide message values to tasks, e.g., keyboard entry o»f data or 

1 0 data from a machine-readable medium, as well as accept message values from tasks, 
e.g., for display to an end-user or to control industrial equipment. Similar to tasks, a 
hardware object is a sender v/hen sending a message value from its output port., and a 
receiver when receiving a message value at its input port 

Any task or device that outputs and does not input undelayed messages is termed 

1 5 a source. Any task or device that inputs and does not output undelayed messages is 
termed a sink. Any task or device that outputs undelayed messages is termed a 
producer. A source, by definition, is a producer. Any task or device that inputs 
undelayed messages is termed a consumer. A sink, by definition, is a consumer. 

Since deadlines and dispatches occur at deterministic times for periodic tasks, 

20 this results in a strictly deterministic data dependence among periodic tasks. Hiat is, if 
the /* instance of a task receives data from the i* instance of another task in airy 
schedulable run of the system, it will do so in all schedulable runs of the system. Figure 
5 shows an example of undelayed message passing between periodic tasks, where A has 
undelayed connections to B and C, and B has an undelayed connection toC. En Figure 

25 5, the 1* instance of task C receives input from the I s1 instances of tasks A and B, while 
the 2 nd instance of task C receives input from the 3* instance of task A and the? 1 st 
instance of task B. This dependency among periodic tasks with undelajed message 
passing will repeat in every schedulable run of the task system. The exceptions allowed 
in the case of an aperiodic sender is deemed an acceptable loss of determinisma because 



10 



PCT/USOO/13356 

WO 00/704S5 

an.«s a simpler implementauon. ^^^^n****** 
An -.delayed connecho. „ am ^ M , the message 

, The set of undelayed message conn 

tom » directed «yc»c graph. „„,,,„ ..^delayed 

• „f,*riodic tasks that communicates by an »»oe y 
10 2 . Every pan of penoomtas . ie ^pencdofonctnindbe 

c^ccdonmuathavehan^cPC^- 

15 T ^are 5ms .Oms, 20ms and 30ms, respectively. 

C, and date 5ms, i"™* u,™,_iiohavealower 

-- — peHodic^"^ 
to ^cuyedd«s«n^«-^ ^synchmncusdispst* in** 

^sye.hsonc^d^^mod*^^ 

mccivers^isdCayednnh.^n-^ >* oricatos hasdtcdcad li ncof«5c 
c to cfec^«o»s^und. 1 ayedmes«e ^^^^^^ 

25 Mreceiverrasa- Referring again to ^^.^.-t,*— •* 

B ^C,^Bhssa,und..ayedco^n^,r. te Coyer 

s^haveaUghesdlspMchnueOum^vees. In 
samples the data received fiom B. 



U 



WO 00/70455 



PCT/US00/13356 



If either the sender or the receiver task is aperiodic, the ordering constraint and 
message transfer applies to the next instance of the receiver task that is dispatched at or 
following the dispatch of the sender task. This allows, for example, aperiodic tasks to 
pass data and dispatch successor aperiodic tasks to form trees of coordinating task 
5 instances. 

If an undelayed connection comes from a hardware output port, the message 
value is transferred at the dispatch of the receiver task. If an undelayed connection goes 
to a hardware input port, the value is transferred at the completion of the sender task. 
Note that undelayed connections to hardware ports are not temporally deterministic. 

1 0 Accordingly, they may exhibit jitter due to compute time and scheduling variability. 

In one embodiment, executive task 150 schedules tasks using a preemptive fixed 
priority discipline. Executive task 150 is responsible for managing task priorities, 
dispatching tasks (placing them on a prioritized ready queue), suspending tasfes 
(removing them from the ready queue), and moving data between task buffer variables. 

15 Executive task 150, with reference to Figure 6, includes three components: 

1 . a periodic dispatcher task 610 that is the highest priority task in the task 
system 100 and manages periodic dispatches of tasks 110 and their single 
sample delay communications, 

2. an event handler 620 that manages aperiodic dispatches of tasks 1 10 and 
20 their single sample delay communications, 

3. a service component 630 that manages task completions and all 
undelayed communications of tasks 110. 

These three components may be automatically generated from a MetaH specification of 
tasks and their message and event connections. 
25 Message passing is implemented by assignments between task buffer variables. 

In many cases an executive buffer variable may be allocated and used within the 
executive task 150, e.g., connections between non-harmonic or aperiodfe tasks. In 
general, movement of message data is implemented as an assignment from a sender's 
buffer variable to an executive buffer variable followed by an assignment fram the 
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executive buffer variable to the receiver's buffer variable. For example, in Figure 7, 
sender task 1 10, passes its message value from an output buffer 710 to a shadow output 
buffer 720, an executive buffer. Shadow output buffer 720 in turn passes the message 
value to shadow input buffer 730, another executive buffer. Shadow input buffer 730 
5 passes the message value to an input buffer 740 of receiver task 1 1 0 2 . The two 
assignments, i.e., from sender to executive and executive to receiver, may occur at 
different scheduling points, e.g„ the first at the deadline of a sender periodic task 1 10, 
and the second at the dispatch of a receiver periodic task 1 10 2 . In one embodiment, the 
intermediate assignment of a message value to an executive buffer variable could be 

10 optimized away for connections between harmonic periodic tasks whose deadlines equal 
their periods, such that sender task 1 1 0, passes its message value directly to receiver 
task 1 1 0j, as shown with dashed line 750; In this case, the executive buffers are 
eliminated. In another embodiment, the shadow output buffer and the shadow input 
buffer are the same executive buffer, for convenience termed a shadow input buffer. 

1 5 The dispatcher task 610 performs single sample delay message passing between 

periodic tasks and perfonns periodic task dispatching. The dispatcher task 610 is 
typically implemented as the handler of a periodic hardware clock interrupt that occurs 
nearly simultaneously on all processors. The interrupt rate should be selected so that 
every dispatch and deadline is an integer multiple of the interrapt period, eg., the 

20 greatest common divisor of the periods and deadlines that appear in the system 
specification. 

At each interrupt, a cycle counter is incremented by 1 (modulo some large value 
that is a common multiple of all periods). The periodic actions that are to occur at each 
interrupt are determined by whether or not the cycle counter is evenly divisible by the 
25 periodicity of an action. 

In one embodiment, a process flow of dispatcher task 61 0 can be described with 
reference to Figure 8. Figure 8 is a process flowchart having action boles 810, 820, 840 
and 850, as well as decision box 830. In actio© box 810, dispatcher task 610 is made 
ready to run at the periodic interrupt, such as a hardware clock interrupt Upon 
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receiving the periodic interrupt, the cycle counter is incremented in action box 820. 
Decision box 830 determines if any tasks scheduled are to be dispatched this cycle, i.e., 
where the cycle evenly divides the quantity of the task period divided by the periodic 
interrupt If tasks are to be dispatched in decision box 830 9 action box 840 determines 
5 the set (S) of all tasks to be dispatched Buffer-to-buffer message assignments are made 
in action box 850 for those periodic tasks meeting the criteria of decision box 830, and 
those tasks are dispatched. Control is then returned to the tasks interrupted by the 
periodic interrupt Dispatch of the periodic tasks can be visualized as adding the task to 
a ready queue 890. With reference to Figure 8, the following example is provided: 

10 

let task 1 (t,) have period T, = 10 ms; 

let task 2 (Tj) have period T 2 = 20 ms; 

let task 3 (t 3 ) have period T 3 = 40 ms; and 

let hardware global clock periodic interrupt = 10 ms 

15 

initialize cycle = 0 

case cycle mod 4 is 

when 0 ssdel_comm(T„ x 2 , t 3 ); disp(T„ t 2 , t 3 ) 
20 when I ssdel_comm(t ,); disp(T,) 

when 2 ssdel_comm(T„ tj); disp(T„ tj) 

when 3 ssdel_corran(t,); disp(t { ) 
end case 

25 where: 

ssdei_comm(Ti) means copy all x,. output buffers to executive input 

buffers and copy executive output buffers to all t M input buffers; 
and 

30 <tispCc<) means dispatch task L 

The event handler 620 is executed whenever external interrupts or internal 
software-generated events occur. Message values to be received at the dispatch of 
aperiodic tasks are assigned to their input buffer variables and the tasksaare dispatched. 
35 Figure 9 is a process flowchart of one embodiment of event handler 620. Figure 

9 includes actions boxes 910, 920 and 930. In action box 910, event handler 620 is 
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executed in response to a software-generated event or external interrupt. Upon 
receiving the interrupt in action box 910, event handler 620 assigns message values to 
their task input buffers in action box 920, The aperiodic task or tasks associated with 
the interrupt in 910 are dispatched in action box 930. Control is then returned to the 

5 highest priority ready task. As with dispatch task 610, dispatching an aperiodic task 
includes adding the aperiodic task to the ready queue 890. 

The service component 630 is executed when a task instance completes. The 
completing task is removed from the ready queue 890. Output values produced by the 
completing task are assigned to corresponding executive or receiver task buffer 

10 variables according to rules we present below. These assignments are conditional, 
depending on information recorded at the dispatch of every task that may receive 
undelayed messages. At each dispatch of a periodic task that may receive undelayed 
input from another periodic task, the cycle at which that task is dispatched is recorded. 
At the dispatch of each aperiodic task that may receive undelayed input from another 

15 task, the scheduling state of each sender task (awaiting dispatch, or dispatched but not 
yet completed) is recorded. 

Figure 10 is a process flowchart of one embodiment of service component 630. 
Figure 10 includes actions boxes 1010, 1020 and 1030. In action box 1010, service 
component 630 is executed when a task completes. Upon completion of a task or tasks 

20 resulting in action box 1010, service component 630 removes the completing task or 
tasks from ready queue 890. Output from the completing task or tasks is assigned to an 
executive or receiver buffer in action box 1030. Control then goes to the highest 
priority task in the ready queue. Assignment of output in action box 1030 can be further 
described with reference to Table 1 . 
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Table 1 
Message Passing Timing 



Connection 
Type 


Description 


Pitin <- PS.out 


Copy PS.out to PRin.bufFer at time G^. At time D^ D) = D^, 
copy PR.in.buffer to port PR.in 


DR.in <- PS.out 


At time 1^ copy PS.out to DR.in. 


AR.in <- PS.out 


At time copy PS.out to ARJn.buffer. At time D^, copy 
AK.m ouner to AK-in. 


PR.in <- DS.out 


The device writes to DS.out. At time D^ DS.out is copied to 
port PR.in. 


PR.in <- AS.out 


At time C^, copy AS.out to PR-in.buffer. At time D m copy 
PR.in-buffer to port PR.in. 


AR.in <- AS.out 


At time C m) copy AS.out to AR.ui.bu£Fer. At time D^ n) copy 
PR.in.buffer to port AR.in. 


DR.in <- AS.out 


At time Cg^ copy AS.out to the device's input port 


AR.in <- DS.out 


The device writes to AR.in.buffer. At time D^, ARin,buffer is 
copied to port AR.in. 


PR.in «- PS.out 


If D^j « D^, PS.out is copied to PR.in.buffer at time C^. At 
time S w , PR.in.buffer is input to port PR.in. 


DR.in «- PS.out 


At time C^, PS.out is copied to port DRia. 


ARin «- PS.out 


At time C^ PS.out is copied to AR.in.bufFer. At time S^, 
ArLin.Duiter is copied to ak.ih. 


PR.in «- DS.out 


Ine device wntes to Jrion.DUiicr. At tune 2^ B )» rK-in.Duner is 
copied to port PR.in; 


PR.in «- AS.out 


At time AS.out is copied to PR.in.buEFer. At time S^ 
PR.in.bufFer is copied to PR.in. 


AR.in «- AS.out 


At time C^, AS.out is copied to AR.in.bufiBsr. At time S^, 
AR-in.buffer is copied to AIL in. 


DR.in «- AS.out 


At time C^, AS.out is copied to port DRiia 


AR.in«- DS.out 


At time S Wn> , AR.in is assigned the current value of DS.out. 


where: «- 
<- 


« Undelayed Message Passing 

= Single Sample Delayed Message Passing 
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XR.in = Input buffer for task X,whereX = P (periodic), 

A (aperiodic) or D (device) 
XR.in.buffer = Shadow Input buffer for task X, where X * P, A or D 





XS.out 




Output buffer for task X, where X = P t A or D 


5 


PR 




Periodic Receiver 




PS 




Periodic Senrfer 




AR 




Aperiodic Receiver 




AS 




Aperiodic Sender 




DR 




Device Receiver 


10 


DS 


ss 


Device Sender 




»m 




The next dispatch of the sender task 








The last dispatch of the sender task 








The next dispatch of the receiver task 








The last dispatch of the receiver task 


15 






The next start time of the receiver task 








The next completion time of the sender task 








The next deadline of the sender task 



20 In one embodiment, a priority assignment algorithm assigns a higher priority to 

the sender of an undelayed message than to any of its downstream receivers. 
Downstream receivers include any task, directly receiving the undelayed message, as 
well as all receiving tasks in an acyclic graph rooted at the sender of the undelayed 
message. This guarantees that any task whose buffers are written at the completion of 

25 another task, i.e., any task receiving undelayed values from another task, has remained 
preempted from the time of its dispatch to the time of the assignment and thus does not 
start until after the assignment. 

Whenever possible, a task with high criticaiity but long period is transformed so 
that a deadline monotonic priority assignment can be used. In one embodiment, period 

30 transformation is a form of controlled time-slicing. The compute time of the 

transformed task is divided by some integer value to arrive at a time slice for that task. 
A dispatch of the transformed task is converted into a dispatch followed by a series of 
periodic resumptions. Each dispatch and resumption grants a time slices and after 
exhausting each time slice a transformed task is suspended until its next resumption. 

35 The overall effect is to make a low rate task look like a high rate task with smaller 
compute time, and thus higher priority- 
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For period transformation of periodic tasks, the dispatches and resumptions are 
simply inserted into the proper cases of the dispatcher case statement (Q f is then 
constrained to be a multiple of all transformed periods). Period transformation of 
aperiodic tasks depends on the scheduling protocol used. Period transformation can be 
5 easily applied using the deferrable server protocol, since this protocol is essentially 
controlled time-slicing slaved to the dispatcher frequency. In one embodiment, period 
enforcement is approximated by defining the reenabling of a task as the next dispatcher 
task dispatch, and an analogous approximate period transformation might also be 
performed. Slack scheduling can also be adapted to take criticality into account. 

10 The MetaH toolset generates data tables and code for the dispatcher task 610, 

event handler 620 and service component 630. It further generates and analyzes a real- 
time schedulability model of the task system 100. 

The undelayed message connections and tasks are checked to make sure they 
contain no cycles. Task deadlines are then reduced as needed so thai the deadline of 

1 5 every sender of an undelayed message is strictly less than the deadline of all its 

receivers, A subsequent deadline-monotonic priority assignment phase, which assigns 
higher priorities to shorter deadlines, assigns a higher priority to the sender of an 
undelayed message than to the receiver. This insures that the receiver remains 
preempted and does not start until after the sender completes whenever the conditions 

20 for undelayed transfer are satisfied. . 

In greater detail, the set of undelayed message connections is first checked for 
cycles. Task deadlines are then reduced as needed so that the deadline of every sender 
of an undelayed message is strictly less than the deadline of all its receivers. A 
subsequent deadline-monotonic priority assignment phase, which assigns higher 

25 priorities to shorter deadlines, will assign a higher priority to tfhe sender of an undelayed 
message than to its receivers. This insures that the receiver remains preempted and does 
not start until alter the sender completes whenever the conditions for uipielayed transfer 
are satisfied. 
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accordance with undelayed connection precedence constraints rather than in accordance 
with user-specified criticality attributes when there is such a conflict. User-specified 
criticality values are adjusted upward as needed to remove acceptable conflicts. The 
term internal criticalities is defined to refer to these adjusted criticality values. 
5 As an example, let x y be a task that sends an undelayed message. Let R u be the 

set of all tasks that eventually receive input from x# directly or through intermediate 
tasks via a sequence of undelayed messages. R v contains die nodes of the DAG of 
receiver tasks rooted at x ai and is easily constructed using a transitive closure of all tasks 
and their message connections. Since x u must complete before any task in R u can begin, 

10 the internal criticality of x u is adjusted to be the minimuni of its user-specified criticality 
and the internal criticalities of tasks in R u . 

The list of tasks that send or receive undelayed messages is then sorted by 
ascending internal deadlines. If multiple tasks have equal deadlines, then that sublist is 
sorted by ascending criticality. The result is a sorted list with internal deadline as 

1 5 primary key and internal criticality as secondary key, where internal deadlines and 
internal criticalities are both consistent with each other and ascending. 

The list of remaining tasks (those that neither send nor receive undelayed 
messages) is now merged with this list in sorted order, using user-specified deadline as 
the primary key and user-specified criticality as secondary key. Inconsistencies among 

20 criticality rankings and deadline rankings is permissible in this list These 

inconsistencies will be removed later using period transformation. Internal criticalities 
and internal deadlines are set to the user-specified criticalities and user-specified 
deadlines, respectively. 

The merged list of tasks is sorted using internal deadline as the primary key and 

25 internal criticality as the secondary key. The next step is to transform the periods and 
deadlines of the tasks so that both criticalities and deadlines are in monotonic order. 
That is, all tasks having a first criticality have deadlines that are less thsjn any task 
having a lower criticality. 
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Figure 11 is a process flowchart of one embodiment of the foregoing task list 
generation. In Figure 1 1, the list of tasks that send or receive undelayed messages and 
the list of remaining tasks are generated in parallel. However, there is no requirement 
for such parallel implementation. 

5 Figure 1 1 includes action boxes 11 10, 1 1 15, i 120, 1 125, 1 1 35, 1 140, 1 145, 

1155, 1 160, 1 165 and 1 170, as well as decision boxes 1 130 and 1 150. Generation of the 
list of tasks that send or receive undelayed messages for each processor begins at action 
box 1110, Internal deadlines are set in action box 1115 such that the deadline of every 
sender task is strictly less than the deadline of all its receivers. The list is then sorted by 

10 internal deadline in action box 1115. Internal criticalities are set in action box 1 125 to 
remove conflicts. Decision box 1 130 determines if multiple tasks in the sorted list have 
equal internal deadlines. If yes, the portion or portions of the list having equal deadlines 
are sorted by internal criticality in action box 1 135. If there are no portions of the list 
having equal internal deadlines in decision box 1 130, or following sorting by internal 

15 criticality in action box 1 135, control is transferred to action box 1 165. . 

Generation of the list of tasks that do not send nor receive undelayed messages 
for each processor begins at action box 1 140. The list generated in action box 1 140 is 
sorted by user-specified deadline in action box 1 145. Decision box 1 150 determines if 
multiple tasks in the sorted list have equal user-specified deadlines. If yes, the portion 

20 or portions of the list having equal user-specified deadlines are sorted by user-specified 
criticality in action box 1155. If there are no portions of the list having equal user- 
specified deadlines in decision box 1 150, or following sorting by user-specified 
criticality in action box 1155, control is transferred to action box 1 160 where internal 
criticalities and deadlines are set to the user-specified criticalities and deadlines, 

25 respectively. 

Action box 1 165 merges the sorted list of tasks that send or receive undelayed 
messages with the sorted list of tasks that do not send nor receive unde^iyed messages. 
Hie merged list is sorted with internal deadline as the primary key and internal 
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criticaiity as the secondary key, The merged list is then subjected to transformation in 
action box 1 1 70 to generate the priority sorted list. 

A task is transformed by dividing its period and compute time by some positive 
integer, thus converting it, in this example via controlled run-time time slicing, into a 
5 task with smaller period and deadline and consequently higher priority. 

The transformation algorithm operates on tasks one at a time, starting with the 
task having least deadline. The list of tasks can be viewed as a concatenation of sublists 
HELpUwh&z p is the task currently being transformed, H is the sublist of tasks having 
criticaiity higher than that of p 9 E is the sublist of tasks having criticaiity equal to that of 

10 p, L is the sublist of tasks having criticaiity less than that of p, and U is the 

untransformed portion of the list. The goal is to find an integer divisor of the period 
(and compute time) of p, i.e., a transform-fectori that allows the list to be rewritten as 
HE^pE^U where the tasks in E t and E 2 have criticalities equal to that of p t the tasks in 
£j have no deadlines greater than that ofp, and the tasks in E 2 have no deadlines less 

15 than that of p. 

Several factors complicate the solution to this problem. It is possible to 
construct examples having no feasible integer solution,- where transforming p by 
transform factor./ yields a transformed period too large, but transforming/? by transform 
factor i + 1 yields a transformed period too small For example, consider the criticaiity 

20 ordering A > B > C with the period of A and C equal to 2 but the period of B equal to 3. 
Using the transform factor of 1 yields a transformed period too large, while using the 
transform factor of 2 yields a transformed, period too small. 

A transformed task may need to complete by a preperiod deadline. Thus, 
transformation of the deadline analogous to the transformation of period may be 

25 appropriate. 

Transformation introduces context swap overheads. In one embodiment, these 
context swap overheads are minimized. Furthermore, transformed periods and 
deadlines are preferably multiples of the clock interrupt period. Finally, the sender of 
an undelayed message cannot be transformed* as this might create intervals in which the 
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deadline of the task is transformed in a third scenario, reducing the deadline to increase 
the priority as needed to satisfy the criticality requirement without transforming the 
scheduling of the task. After all scenarios are evaluated over their respective range of 
transform factors, cost is evaluated in action box 1350 for each transform factor of each 
5 scenario. In action box 1360, the scenario and transform factor having the lowest cost 
value is selected to transform the task. The task is transformed in action box 1370. 

After all tasks have been transformed, priorities are assigned in the order in 
which tasks appear in the final list. The ordered priorities of the transformed tasks 
represents an assigned scheduling priority. The assigned scheduling priority is utilized 
1 0 by the executive for ordered execution of the tasks on a processor within the multitask 
system. 

As one example, in an implementation of the invention using the MetaH toolset, 
the MetaH toolset generates a linear schedulabiiity model, one in which each task may 
be described as a sequence of task components. Each task component may be shared by 

1 5 other tasks and may block other tasks. In general, actions that are performed by the 
executive task 150 on behalf of a particular task 1 10* such as message passing, are 
modeled as components of that task and blocking times for other tasks of higher 
priority. Compute times for generated executive components are produced by the 
MetaH tool using attributes of the target hardware, e.g., buffer assignment times are 

20 estimated by the linear function + A 2 * b, where b is the number of bytes being 

assigned and A x , A 2 are intercept and slope attributes defined in the MetaH processor or 
bus specification. The mapping between specification, implementation, and model is 
thus more detailed than a simple list of tasks and their parameters. Analysis is 
performed using an extension of an exact characterization algorithm that allows tasks to 

25 be decomposed into components and provides compute-time sensitivity analysis 
information. 

The various embodiments of the invention will not always produce a user- 
specified deadline monotonic priority assignment. Many schedulabiiity analysis 
methods welt known to those skilled in the art work with any priority assignment 
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without assumptions or special constraints on the relationship between priorities and 
deadlines, periods, or minimum interarrival rates and can be used with the approach of 
the embodiments. 

The solution of the various embodiments remains valid for tasks that use real- 
5 time semaphores, providing the semaphore protocol does not allow the processor to 
execute at a priority lower than any task that is awaiting a semaphore. This condition is 
necessary to insure that preempted receivers of undelayed messages cannot start when a 
sender blocks on a semaphore. This is true of the ceiling priority and all the priority 
inheritance semaphore protocols. 
10 The various embodiments of the invention further support dynamic 

reconfiguration, or mode changes. In one embodiment, mode changes are restricted to 
hyperperiod boundaries. Transition modes are introduced for each user-specified mode, 
change, and the dispatcher may perform process starts and stops and slightly different 
patterns of message passing in a transition mode* MetaH hierarchical mode 
1 5 specifications makes it possible for modes to share subsets of tasks and connections in 
complex ways. The algorithms thus presented are performed for the union of allmodess 
in a system, followed by a post-processing phase to reduce the number of priority levefls 
required. 

Selecting clock interrupt rates may be an issue in distributed real-time systems.. 

20 Temporally deterministic message release times may be needed to assure hard end-to- 
end deadlines. Clock interrupt periods may be desired that not only divide the user- 
specified periods and deadlines, but also provide convenient transformed periods and 
convenient network message release times. 

The various methods of the invention provide a model adapted to analyze the 

25 timing behavior of a task system, and in particular, modular mission-critical software 
systems, high-rate applications and microcontrollers. Use of such models permits off- 
line analysis and configuration to tailor an executive for each system, r|ther than relyimg 
on a generic executive, which allows a simpler, smaller and faster executive. Such 
models further assist the formulation of well-structured specifications for task systems*, 
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which may permit the creation of more structured and traceable code underlying the task 
system. 

While the example embodiments describe multiprocessor task systems 
communicating on a single bus, the invention is not limited to single-bus systems. 
5 While it is preferred that multiple processors be connected by relatively high-speed, 
low-latency busses for efficient transfer of single sample delay messages, distributed 
systems may be utilized where scheduling approaches allow for a single sample delay 
message to be released with a specified deadline on the network, and where 
communication take place concurrently with processor execution. 

10 Models produced using various embodiments of the invention can be used to 

define electronic systems to carry out the scheduling and message passing activities of 
the multitask systems. The electronic systems described make use of a variety of 
electronic equipment having processors utilizing instructions in machine-readable form 
to carry out the methods described herein. Figure 14 depicts a block diagram of a 

15 processor 1410 coupled to a machine-readable medium 1420. Processor 1410 may be 
further coupled to bus 1430 for communication to other processors. Machine-readable 
medium 1420 may include fixed devices coupled to processor 1410, such as internal 
magnetic medium or programmable memory device. Machine-readable medium 1420 
may further include removable devices coupled to processor 1410, such as removable 

20 magnetic medium or programming cartridge. Machine-readable medium 1420 contains 
instructions stored thereon, in machine-readable format, capable of causing processor 
1410 to carry out the methods described herein. 

Conclusion 

25 Methods are disclosed useful in modeling real-time periodic and aperiodic task 

scheduling and message passing within multitask systems. Models produced using 
methods of the invention are adapted to analyze the timing behavior wi$iin such 
multitask systems. The methods utilize undelayed and single sample delayed message 
connections among software task objects and hardware objects. Task priorities are 
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with it at least one I/O buffo: selected from the group consisting of input 
buffer and output buffer, and wherein communications with each I/O 
buffer is adapted to one message type selected from the group consisting 
of undelayed messages and single sample delay messages; and 
an executive in communication with the processor and controlling dispatching of 
tasks on the processor and communications among the I/O buffers, 
wherein the executive comprises: 

a periodic dispatcher that manages dispatching of periodic tasks and their 

single sample delay communications; 
an event handler that manages dispatching of aperiodic tasks and their 

single sample delay message communications; and 
a service component that manages task completions and all undelayed 

message communications. 

L7. The multitask system of claim 1 6; further comprising at least one executive 

buffer interposed between an output buffer of a first task and an input buffer of a 
second task. 

18. Hie multitask system of claim 16; further comprising at least one hardware 
object in communication with at least one of the plurality of tasks. 

19. The multitask system of claim 1 6, wherein the multitask system is a flight 
control system. 

20. A multitask system, comprising: 
a processor, 

a plurality of tasks operating on the processor, wherein each tas| of the plurality 
of tasks is of a task type selected from the group consisting of periodic 
and aperiodic, wherein each task of the plurality of tasks has associated 
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with it at least one I/O buffer selected from the group consisting of input 
buffer and output buffer, and wherein communications with each I/O 
buffer is adapted to one message type selected from the group consisting 
of undelayed messages and single sample delay messages; 

at least one hardware object in communication with at least one of the plurality 
of tasks, wherein each at least one hardware object has associated with it 
at least one VO port selected from the group consisting of input port and 
output port, and wherein communications with each I/O port is adapted 
to one message type selected from the group consisting of undelayed 
messages and single sample delay messages; and 

an executive in communication with the processor and controlling dispatching of 
tasks on the processor and communications among the I/O buffers and 
ports, wherein the executive comprises: 

a periodic dispatcher that manages dispatching of periodic tassks and their 

single sample delay communications; 
an event handler that manages dispatching of aperiodic tasks and their 

single sample delay message communications; and 
a service component that manages task completions and all ucdelayed 

message communications. 

21. A method of undelayed message communication between a periodic sender task 
and a periodic receiver task, comprising: 

dispatching the sender task and the receiver task substantially at the same time; 
executing the sender task to completion while preempting execution «of the 
receiver task; 

transferring a message from the sender task to the receiver task; and 
executing the receiver task upon receipt of the message. 
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22 . A multitask system, comprising: 
at least two periodic tasks; and 

a first set of undelayed message connections associated with the at least two 
periodic tasks, each undelayed message connection of the first set 
adapted to communicate from a sender task to a receiver task of a pair of 
periodic tasks; 

wherein the first set of undelayed message connections and the at least two tasks 

form a directed acyclic graph; 
wherein every pair of periodic tasks that communicates by an undelayed 

connection has harmonic periods; and 
wherein communication across each undelayed message connection of the first 

set occurs upon completion of its associated sender task. 

-.23. The multitask system of claim 22, wherein a sender task of a pair of periodic 
tasks is allowed to have a lower criticality than a receiver task of the pair of 
periodic tasks only if the sender task has enforced compute time and minimum 
event interarrival times. 

24. The multitask system of claim 22, further comprising: 
at least one aperiodic task; and 

a second set of undelayed message connections associated with the at least one 
aperiodic task, each undelayed message connection of the second set 
adapted to communicate from a sender task to a receiver task of a pair of 
tasks selected from the group consisting of two aperiodic tasks, and one 
periodic task and one aperiodic task; 

wherein communication across each undelayed message connection of the 

second set occurs at the next instance of the receiver tas| dispatched at or 
following a dispatch of the sending task. 
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25 . The multitask system of claim 24, further comprising: 

a set of single sample delay message connections associated with the at least two 
periodic tasks and the at least one aperiodic tasks. 



26. The multitask system of claim 22, further comprising: 
at least one hardware device; and 

a third set of undelayed message connections associated with the att least one 
hardware device, each undelayed message connection of the third set 
adapted to communicate from a sender selected from the group 
consisting of a hardware device and a task to a receiver selected from the 
group consisting of a task when the sender is a hardware device and a 
hardware device when the sender is a task, wherein the task is selected 
from the group consisting of the at least two periodictasks and the at 
least one aperiodic task; 

wherein communication across each undelayed message connection of the third 
set occurs at the dispatch of the receiver when the receiver is a task and 
at the completion of the sender when the sender is a task. 
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